February 13, 2010

Criminals have co-opted a column I wrote last week about ZeuS Trojan attacks targeted at government and military systems: Scam artists are now spamming out messages that include the first few paragraphs of that story in a bid to trick recipients into downloading the very same Trojan, disguised as a Microsoft security update.

Hat tip to security firm Sophos for spotting this vaguely elliptical attack. It is sometimes said tongue-in-cheek that plagiarism is the sincerest form of flattery, but I wish these crooks would find some other way of expressing their admiration.

The thing is, these sorts of copycat scams also serve as as a sort of token reputation attack, a sly dig that is often aimed at security researchers. For example, Jeffrey Carr, the author of the recent book Inside Cyber Warfare and a frequent publisher of information on the sources of large scale cyber assaults, told me that a similar spam campaign a few days ago that mimicked the targeted .mil and .gov Zeus attacks was made to look like it came from his e-mail address. Carr said the campaign that abused his name probably was in response to his recent blog post about the .mil and .gov attacks.

13 thoughts on “Warning About ZeuS Attack Used as Lure

  1. Fausto

    I guess there is nothing we can do about it. Just -like u did- warn us and suggest that we come here to read your blog postings and not using links in email (spam).

    1. Joe

      I think that this type of activities will continue going on until the penalties outweigh the rewards. The day that these individuals are hunted as drug dealers and do real hard time in prison. Until then, we will continue living with these annoyances that end up costing billions of dollars a year in productivity and data lost.

  2. Gannon

    “It is sometimes said tongue-in-cheek that plagiarism is the sincerest form of flattery, but I wish these crooks would find some other way of expressing their admiration.”

    Journalists get the joke, there should be some comfort in that.

  3. TheGeezer

    “It is sometimes said tongue-in-cheek that plagiarism is the sincerest form of flattery, but I wish these crooks would find some other way of expressing their admiration.”

    Well they did name one of their phishing sites after you didn’t they? I just don’t think they’re into valentine cards… or wait… maybe they are… better not to open it though… it’s the thought that matters anyway.

  4. Bill Newhouse

    In the ever challenging balance between security & privacy on the internet, you might wish to start a thread about the technologies or processes that could protect one’s reputation and the barriers to adoption of such things.

    1. TheGeezer

      Just to put my 2 cents worth in here… this appears to be the same type of exploit used when faking bank, IRS, SSA and other security software emails. The only difference is that now Brian has been added to the list of email sources to fake.

      It seems it would take the same type of precautionary measures as used with other fake emails.

  5. Wayfarer

    I agree with Bill’s comment and suggestion. There really is no single place that I’ve been able to find such information.

  6. MichaelFigueroa

    One thing to note, however, is that these types of reputation attack are largely successful due to the poor design of modern email systems. As a commodity that has been around for far longer than the browser, email systems have had a remarkably poor rate of evolution by comparison.

    A key failure (largely shared with modern http design) is the general inaccessibility of email authenticity verification. You would think that we could have solved the signature problems by now, but the industry has largely ignored it in light of historical PKI/PGP distribution and use difficulties. With no method of assessing authenticity, users cannot trust anything that comes into their inbox. As such, they simply choose to trust everything. It’s a shame, but what choice do they truly have?

    This is an area that I think Lotus Notes has always done well (though…admittedly one of the few things). Every user on a Lotus infrastructure receives a verifiable credential. They’re not told that it’s a digital certificate or anything, but they gain all of the benefits in the background.

    I would love to see Google, Yahoo!, or Microsoft deploy a similar “background” authenticity system. With the power of either of them behind such an innovation, I bet that we would make a lot of progress on really defeating both reputation attacks and phishing attacks in general.

    1. Patrick Connors

      That is a nice idea, but since infiltration and overriding of security systems is part of the general discussion here, do you think that this background authentication system would eventually come under attack or misuse also?

      I think they all will. (Theoretically at least.)

    2. TheGeezer

      Correct me if I’m wrong here Michael but I don’t think an authenticity check would have stopped this exploit.

      Sophos said that the email “appeared to have been sent by the National Security Council”. I doubt that they, zeus, tried to use an existing valid email address belonging to the National Security Council but rather made up an address that looked similar. Therefore, there would have been no authentification error.

      One thing most email servers do do well is check for known viruses. So once that link for the ‘security update’ was reported it would probably not make it through many email servers.

      I found this out the hard way by informing a friend about a malicious url and was naive enough to put the entire url in my email. The email servers picked up on that, my friend never received the email, and I got put on an email black list!

      So, let that be a warning to others. If you are discussing fraud with people by email DO NOT put the fraudulent URL involved in the body of your email. Replace the dots with spaces or whatever so that it will not be interpreted as a link!

      1. MichaelFigueroa

        It depends on what kind of authenticity check you leverage. What I’m proposing is a publicly-available infrastructure that enables people and organizations to verify that the email source is legitimate. Imagine it as a background level certificate authority that provides trusted certs that businesses can integrate into their email servers and that public email systems can integrate into their services. Verification can be done at an organizational level without the need to distribute user certs (though, that extension would be nice for those of us who know what we’re doing). It would definitely require changes in server software (Microsoft) and the deployment of the infrastructure (Google) and may also require protocol changes.

        Can it be attacked? Sure, but the likelihood of a successful root-level attack against a savvy adversary, such as Google, is unlikely and would be limited. The more likely attack would be an internal organization attack, but then the organization could be held liable by its user population to a much greater degree than it can today.

  7. patrick

    This just came to my attention. Is WOT which places a little green circle beside the links while browsing in google. But i heard that WOT is a spyware is this ture.

    Mr Kreds

Comments are closed.